Web Provisioning - Policy for Eligibility and Acceptable Use of IT Resources

Eligibility and Acceptable Use Policy for Information Technology

This document describes the Eligibility and Acceptable Use Policy for Information Technology

The University of Chicago provides information technology for educational, research, and administrative applications by its students, faculty, and staff. This Eligibility and Acceptable Use Policy stems from the University's Statutes and Bylaws and from its more general policies and procedures governing faculty, students, staff, and facilities.1 With only a few exceptions, the present policy simply applies these larger policies and procedures to the narrower information-technology context. It balances the individual's ability to benefit fully from information technology and the University's need for a secure and reasonably allocated information-technology environment. In general, University faculty, students, and staff may use University information technology (which includes privately-owned computers connected to the University network) in connection with the University's core teaching, research, and service missions. Certain non-core uses that do not consume resources or interfere with other users also are acceptable. Under no circumstances may faculty, students, staff, or others use University information technology in ways that are illegal, that threaten the University's tax-exempt or other status, or that interfere with reasonable use by other members of the University community. Violations of information-technology rules and policies typically result in University disciplinary action, which may have serious consequences. The information-technology Eligibility and Acceptable Use Policy begins with a few principles, defines several categories into which users and applications of information technology fall, and specifies which users may use University information technology for which applications. The footnotes in this document provide explanations, illustrations, and examples of how the policy works in practice, but it is the policy, and not the explanatory material, which governs specific instances. Principles Three general principles underlie eligibility and acceptable-use policies for information technology: University information technology is for University faculty, students, and staff to use for core University purposes. Any use counter to this, or which interferes with core use by others, is unacceptable. Some applications of University information technology are unacceptable even if they serve core purposes.

Definitions:
University Information Technology Any computer, networking device, telephone, copier, printer, fax machine, or other information technology which is owned by the University or
is licensed or leased by the University
is subject to University policies. In addition, any information technology which connects directly to the University data or telephone networks, uses University network-dialup facilities (the campus modem pool), connects directly to a computer or other device owned or operated by the University, and/or otherwise uses or affects University information-technology facilities is subject to University information-technology policies, no matter who owns it

Users

Three broad classes of potential users have different privileges:
Regular Users, who are entitled to use all or most University technology and services,
Special Users, who are entitled to use specific limited services for specific purposes under specific conditions, and
Excluded Users, who are not entitled to use University information technology.
Regular Users
In general, only current undergraduate and graduate students3 and current non-temporary regular faculty and staff4 of the University are regular Users. Faculty, student, and staff status does not extend to family members or colleagues who are not themselves Regular Users.
Special Users
Special Users comprise certain individuals and specified classes of University affiliates to whom the University provides a tightly limited subset of University information technologies and services. The specified special-user classes consist primarily of certain organizations affiliated with the University and their staff and of certain categories of students. They also include certain individuals working temporarily at the University under the explicit sponsorship of an administrative or academic department.5 The Chief Information Technology Officer authorizes special-user classes and individual special users, under the authority of the President. The Chief Information Technology Officer determines which individuals or organizations on campus are responsible for use (or misuse) of information technology by Special Users and any associated costs. Special Users abide by all relevant University policies. In general, they reimburse the University or pay directly for the cost of the services they receive. Special User privileges may end without notice. Special Users in a specified class retain no University information-technology privileges once they leave that class. Individual Special Users receive privileges only for a period specified at the outset.
Excluded Users
These are all individuals or organizations that are not Regular Users or Special Users.

Applications Here again three distinct categories are important:
Core applications, those clearly associated with the University's core education, research, or service, either directly or through University administration,
Restricted applications, those clearly unrelated to the University's core purposes, or which violate general University policies, jeopardize its tax-exempt or other circumstances, or otherwise interfere with core applications, and
Ancillary applications, which do not fall clearly into either of the preceding two categories and which do not interfere with Core applications.

Core Applications
These support University instruction, research, service, and administration. Classroom use, computer-based assignments, research applications, communication among faculty, students, and administrators, administrative applications, access to University-related information, and similar applications all are Core applications. Restricted Applications
Restricted applications of University information technology primarily include
those that threaten the University's tax-exempt status, such as certain kinds of political activity and most commercial activity,
those that are illegal, such as fraud, harassment, copyright violation, and child pornography,
those that deprive other users of their fair share of University information technology or interfere with the functioning of central networks and systems, such as mass mailings, chain letters, unauthorized high-bandwidth applications, or denial-of-service attacks, and
those that violate more general University Statutes, Bylaws, and policies. Disclaimers do not render Restricted applications acceptable. The only recourse available to someone interested in such applications is to use non-University computers, networks, and other technologies.
Ancillary Applications
Ancillary applications are easy to list, but difficult to define. Examples are plentiful: using a University phone to make a dentist appointment, a University-connected personal computer to host small-scale personal (but non-commercial) Web pages, University servers to send and receive for modest amounts of personal electronic mail, a University fax machine to get a vacation itinerary from a travel agent, and the like. In general, Ancillary applications are those neither explicitly permitted nor explicitly restricted, and with one other essential attribute: they are invisible to other users, to network and system administrators, and to other University offices. Ancillary applications consume only resources that would otherwise go to waste, and never require any action or intervention by anyone at the University other than their user. As a rule, Ancillary applications that become visible to others or burden systems are ipso facto no longer Ancillary, but Restricted. Eligibility and Acceptable Use
No one may use University information technology for Restricted purposes without explicit written authorization from the Chief Information Technology Officer, who consults the President, the Provost, the General Counsel, and other officials as appropriate. Except for the preceding restriction, Regular Users may use the full array of University information technology for Core applications. Only Regular Users are eligible to use most centrally-funded technology, including public computing clusters and classrooms, and University help desks and technical support. Except for a few specific exceptions, only Regular Users are eligible to use the University data network, including its dialup modem pool.6 There is one major exception to Regular Users' general rights to use information technology for Core applications. If any application of information technology, however permissible otherwise, disables computers or network services, consumes disproportionate enough resources that other users are denied reasonable access to information technology, or induces substantial costs outside the user's Department, then that application is Restricted.7 In general, Regular Users also may use campus telephones, the campus network, and personally or departmentally owned computers for Ancillary applications.8 However, even Regular Users may not use information technology in ways that interfere with others,9 or that consume University resources other than those directly under the user's control.10 In general, any Ancillary use of the University network that becomes apparent to other users thereby becomes Restricted, and unacceptable. Special Users may use University information technology only insofar as they are specifically authorized to do so. Except for certain materials and facilities the University explicitly makes available to the general public, Excluded Users may not use University information technology in any way. Where definitions of user or application status are unclear, or where patterns of use appear to be out of compliance with this policy, the Chief Information Technology Officer provides interpretations or direction as appropriate on behalf of the President and the University. Where necessary, the Chief Information Technology Officer consults the President, other Officers of the University, General Counsel, and the Board of Computing Activities and Services for further advice and guidance.

Roles and Responsibilities The University
The University owns most of the computers and all of the internal computer networks used on campus. The University also has various rights to the software and information residing on, developed on, or licensed for these computers and networks. The University (including central organizations and academic Divisions, Schools, and Departments) administers, protects, and monitors this aggregation of computers, software, and networks. In its management of information technology, the University and its administrative and academic departments take responsibility for Focusing central information technology resources on activities connected with instruction, research, and administration; Protecting University networks and other shared facilities from malicious or unauthorized use;
11 Ensuring that central University computer systems do not lose important information because of hardware, software, or administrative failures or breakdowns;12 Managing computing resources so that members of the University community are not denied fair access to them;
13 Establishing and supporting reasonable standards of security for electronic information that community members produce, use, or distribute, and ensuring the privacy and accuracy of administrative information that the University maintains; Delineating the limits of privacy that can be expected in the use of networked computer resources and preserving freedom of expression over this medium without countenancing abusive or unlawful activities; Monitoring policies and communicate changes in policy as events or technology warrant; and Enforcing policies by restricting access and initiating disciplinary proceedings as appropriate.
14 The Individual
The University of Chicago supports networked information resources to further its mission of research and instruction and to foster a community of shared inquiry. All members of the University community must be cognizant of the rules and conventions that make these resources secure and efficient. Users of University information technology take responsibility for Using resources efficiently, and accepting limitations or restrictions on computing resources - such as storage space, time limits, or amount of resources consumed - when asked to do so by systems administrators; Protecting passwords and and respecting security restrictions on all systems;
15 Backing up files and other data regularly;
16 Preventing unauthorized network access to or from their computers or computer accounts;
17 Recognizing the limitations to privacy afforded by electronic services;18 Respecting the rights of others to be free from harassment or intimidation, to the same extent that this right is recognized otherwise on campus; and Honoring copyright and other intellectual-property rights.

Sanctions and Procedures
When any use of information technology at the University presents an imminent threat to other users or to the University's technology infrastructure, system operators may take whatever steps are necessary to isolate the threat, without notice if circumstances so require. This may include changing passwords, locking files, disabling computers, or disconnecting specific devices or entire sub-networks from University, regional, or national voice and data networks. System operators restore connectivity and functionality as soon as possible after they identify and neutralize the threat. Telephones, computers, network connections, accounts, usernames, authorization codes, and passwords are issued to Regular Users and Special Users to identify them as eligible users of University information technology. Users are responsible for not sharing their privileges with others, and especially for ensuring that authorization codes and passwords remain confidential. Users of computers connected to the campus network, permanently or temporarily, are responsible for ensuring that unauthorized users do not thereby gain access to the campus network or to licensed resources. Use of information technology that violates this Policy and rules based on it may result in disciplinary proceedings and, in some cases, in legal action. Disciplinary proceedings involving information technology are the same as those for violations of other University policies, and may have serious consequences. Unauthorized use of University information technology by Excluded Users may result in police intervention or legal action. April 2000

1 The present document updates and extends the Provost's Policy on Information Technology Resources last revised in 1995. Since 1995 the interconnection, pervasiveness, and importance of information technology at the University have grown. The susceptibility of individual devices to network-based interference from others and the infiltration of non-University users into the campus network, neither anticipated by the earlier policy, have increased dramatically. Moreover, the earlier document did not address eligibility. The Eligibility and Acceptable Use Policy for Information Technology is implemented by the Chief Information Technology Officer under the authority of the President, in consultation with the Board of Computing Activities and Services.
2 A computer owned personally by a student, faculty member, or staff member is subject to University policy while it connects to the University network directly or through a dialup connection. An individual may not grant access privileges to other individuals on a computer in violation of the general eligibility policy below, even if that computer is personally owned. If a computer is connected to the University network, access from that computer to the rest of the campus network can only be made available to individuals otherwise authorized to use the campus network. This includes email, Web services, file transfer, Internet Relay Chat (IRC), telnet, and any other network traffic. The only major exceptions to this are three. So long as it does not interfere with use of the network by others, a computer on the University network in general may function as a Web server to outsiders. It may allow file transfer to and from itself (but not other computers). It may host mailing lists including non-University individuals. Conversely, a computer on the University network in general may not provide proxy Web service to outsiders. It may not provide email services to outsiders (or otherwise enable outsiders to identify themselves as being at the University of Chicago). It may not permit outsiders to use telnet or similar protocols to reach other computers on campus or elsewhere.
3 The Registrar determines who is a current student, following categories and policies outlined in the Student Information Manual, and provides this information directly to IT Services and other organizations.
4 University Human Resources Management determines who is a member of the faculty or staff. In certain specific cases IT Services and academic or administrative Departments agree on authorization and database mechanisms to deal with special cases such as visiting faculty, temporary staff, and long-term consultants. In general, however, eligibility for the full array of information-technology services is determined by permanent-staff status in central University databases.
5 For example, some affiliated organizations purchase telephone services from IT Services Voice & Data Networking (such as the University Hospitals) or buy computers through its Campus Computer Stores (such as the Lutheran Theological Seminary and NORC). Members of these organizations and certain other individuals (for example, faculty, student, and staff family members, and University alumni) may use the University's fee-for-service dialup modem pool at the University's negotiated rates. Individuals with appropriate Library privileges may use online databases and other materials accessible therein.
6 The "free" campus modem pool is only for Core applications. Regular Users who need dialup access for other purposes, such as family access to the Internet or private consulting, must use the University's fee-for-service dialup provider or another Internet service provider at their own expense.
7 Just because a given application does not violate information-technology policy the application itself is not otherwise defensible. For example, a student who posts on a public Web site the answers to a test other students have yet to take may not be violating information-technology policies, but he or she almost certainly is violating the University's rules against cheating.
8 A classic example of acceptable Ancillary use is a staff member using a University phone to order a birthday cake for a son or daughter. (Whether this interferes with work is a larger, non-technological issue.) Much private email sent over the University network is precisely analogous: the individual who sends and receives it gains convenience, a tangible benefit, while the University and other members of its community lose nothing. Even if some applications such as these cause small costs - such as local-call costs, or small amounts of printing - they remain acceptable in much the way similar non-technological costs have always been.
9 A classic example of apparently Ancillary but nevertheless unacceptable use is a student computer on the University network running a wildly popular Web server whose content is not Restricted but that ties up the dormitory network. Note that in this case the unacceptable activity running an educationally-irrelevant Web server, which is neither Core nor Restricted, but rather the Web server's interference with others.
10 For example, discussion among online participants in a faculty-sponsored, University-hosted discussion group irrelevant to University education or research might become heatedly ad hominem. Participants might ask the University to act against other participants, or to force the faculty sponsor to include or exclude certain participants. Or a third party might take exception to pejorative comments, and, based on the discussion server's location on the University network, institute legal action against the University. The discussion group thus consumes University resources (such as General Counsel time). Because the discussion group is an ancillary use of information technology, its consumption of University resources makes it an unacceptable use of University information technology.
11 To achieve this, IT Security staff may disable network access for devices which show signs of being compromised. Additionally, IT Security staff may mandate security configurations or patches for specific devices or all devices on the network, and may pre-emptively disable network access for devices which do not meet the required criteria.
12 To achieve this objective, authorized systems or technical managers occasionally need to examine the contents of particular files to diagnose or solve problems.
13 To achieve this, authorized staff occasionally restrict inequitable use of shared systems or of the network. For example, the University may require users to refrain from using any program that is unduly resource-intensive.
14 Authorized systems administrators occasionally find it necessary to lock a user's account. If the situation is not resolved within 24 hours, the matter goes to the appropriate University officer for follow-up and resolution.
15 Users must establish appropriate passwords, change them occasionally, and never share them with others. Users may not attempt to evade, disable, or "crack" passwords or other security provisions. These activities threaten the work of others and are grounds for immediate disciplinary action. Unauthorized copying of files or passwords belonging to others or to the University may constitute plagiarism or theft. Modifying files without authorization (including altering information, introducing viruses or Trojan horses, or damaging files) is unethical, may be illegal, and can lead to disciplinary action.
16 Users must maintain and archive backup copies of important work. Users are responsible for backing up their own files. They should not assume that files on shared machines are backed up. If users choose to participate in a backup service, they must become familiar with the schedules and procedures of that service. They also must learn to use properly the features for securing or sharing access to their files.
17 In particular, owners or operators of computers on the University network may not grant accounts on their computers or other access to anyone but Regular Users according to the policy definition.
18 The security of electronic files on shared systems and networks is limited. Although most people respect security and privacy mechanisms, they are not foolproof. Electronic mail and other network communications are susceptible to interception absent active steps to protect them, such as encryption.